Attacker Breach ‘Dozens’ of GitHub Repos Using Stolen OAuth Tokens

GitHub shared the timeline of breaches in April 2022, this timeline encompasses the information related to when a threat actor gained access and stole private repositories belonging to dozens of organizations.

GitHub revealed details tied to last week’s incident where hackers, using stolen OAuth tokens, downloaded data from private repositories.

“We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats,” said Mike Hanley, chief security officer, GitHub.

The OAuth (Open Authorization) is an open standard authorization framework or protocol for token-based authorization on the internet. It enables the end-user account information to be used by third-party services, such as Facebook and Google.
Infosec Insiders Newsletter

OAuth doesn’t share credentials instead uses the authorization token to prove identity and acts as an intermediary to approve one application interacting with another.

Incidents of stolen or found OAuth tokens commandeered by adversaries are not uncommon.

Microsoft suffered an OAuth flaw in December 2021, where applications (Portfolios, O365 Secure Score, and Microsoft Trust Service) were vulnerable to authentication issues that enables attackers to takeover Azure accounts. In order to abuse, the attacker first registers their malicious app in the OAuth provider framework with the redirection URL points to the phishing site. Then, the attacker would send the phishing email to their target with a URL for OAuth authorization.

Analysis of The Attacker’s Behavior 

GitHub analysis the incident include that the attackers authenticated to the GitHub API using the stolen OAuth tokens issued to accounts Heroku and Travis CI. It added, most most of those affected authorized Heroku or Travis CI OAuth apps in their GitHub accounts. Attacks were selective and attackers listed the private repositories of interest. Next, attackers proceeded to clone private repositories.

“This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories,” Hanley said. “GitHub believes these attacks were highly targeted,” he added.

GitHub said it is in the process of sending the final notification to its customer who had either Travis CI or Heroku OAuth apps integrated into their GitHub accounts.

Initial Detection of The Malicious Activity

GitHub began the investigation into the stolen tokens on April 12, when the GitHub Security first identified unauthorized access to the NPM (Node Package Management) production infrastructure using a compromised AWS API key. These API keys were acquired by attackers when they downloaded a set of private NPM repositories using stolen OAuth token.

The NPM is a tool used to download or publish node packages via the npm package registry.

The OAuth token access is revoked by Travis CI, Heroku, and GitHub after discovering the attack, and the affected organizations are advised to monitor the audit logs and user account security logs for malicious activity.


Reported By: Sagar Tiwari, an independent security researcher and technical writer.

Suggested articles